Ooma Khurana
Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.
View profile
On 26 August 2025, the Australian Privacy Commissioner, Carly Kind, determined that Kmart had breached the Privacy Act 1988 (Privacy Act) by using facial recognition technology (FRT) to capture and analyse images of the faces of individuals entering several of its stores between June 2020 and July 2022 (the Kmart Decision). The Kmart Decision builds on and reinforces the Commissioner’s 2024 decision regarding Bunnings’ similar use of FRT in its stores (Bunnings Decision).
Kmart used FRT systems at 28 stores during the relevant period.
Importantly, the face of every person entering a store or attending the returns service desk was captured by CCTV. The FRT system used the resulting images to match the customers’ biometric information with images stored in a database containing the details of customers who were considered ‘persons of interest’ (being individuals who had attempted, or were suspected of having attempted, to make fraudulent returns at a Kmart store).
If a match occurred, the system alerted Kmart staff. The staff would then review the CCTV footage manually, and decide whether to continue with the refund.
Kmart claimed that this process was intended to prevent refund fraud.
This use of FRT constituted a collection and use of sensitive information for the purposes of the Privacy Act and Australian Privacy Principles (APPs), as the resulting images and maps of ‘facial vectors’ were biometric information. The key question was therefore whether the collection was compliant with Kmart’s obligations under APPs 1, 3 and 5.
Kmart did not contest that it had not obtained consent to the collection (which it ordinarily would have been required to do by APP 3.3). It instead sought to rely on the exception in APP 3.4, which allows for the collection of sensitive information without consent if a permitted general situation (PGS) under section 16A of the Privacy Act exists. Kmart argued that a PGS exception applied because:
The Commissioner was satisfied that Kmart had established the first element, but found that Kmart had failed to satisfy the second element.
While the Commissioner accepted that it was appropriate for Kmart to take action to detect and prevent refund fraud, she considered that FRT was merely one tool by which Kmart could have implement appropriate action in relation to the unlawful activity. Importantly, it was also necessary to consider the suitability of the use of FRT, having particular regard to:
In summary, the Commissioner found that less intrusive alternatives were available and that the use of FRT was disproportionate to the accompanying interference with privacy of the thousands of individuals who entered one of the stores during the relevant period.
This is similar to the conclusion that the Commissioner reached in the Bunnings Decision, where Bunnings’ arguments that a PGS exception justified the collection of sensitive information without consent was rejected.
Given that Kmart had failed to obtain consent, and that the PGS exception did not apply, the Commissioner found that Kmart had breached APP 3.3.
In most circumstances, APP 5.1 requires individuals to be notified about the collection of their personal information, including sensitive information. The notice generally needs to contain the information specified in APP 5.2.
While Kmart provided some general notice of its collection (through a notice at the entry to its stores, posters within the stores, and its privacy policies) The Commissioner found that Kmart should have taken additional steps to notify individuals about its use of FRT.
In coming to this view, the Commissioner found that the notices provided by Kmart were not sufficient because they should have contained more detailed information about the FRT system in line with APP 5.2, and were not uniformly deployed in all stores.
Given that Kmart had failed to adequately notify individuals of the collection of their personal information, the Commissioner found that it had breached APP 5.2. The Commissioner also found that the inadequacy of the privacy policies themselves regarding FRT resulted in Kmart also having breached APP 1.3, as it did not have a clearly expressed and up-to-date APP privacy policy containing the information required by APP 1.4.
The Commissioner did not impose a financial penalty, but did, among other things, order Kmart to make an apology and to destroy all personal information it still held that was obtained or generated through its use of FRT.
Similar orders were made in the Bunnings Decision, which is currently under review by the Administrative Review Tribunal.
Both the Kmart and Bunnings Decisions provide a clear framework for analysing compliance risks associated with the implementation of FRT. Key takeaways include:
These are, of course, a non-exhaustive list of issues, and ones that are likely to have evolving answers as our expectations of privacy change and FRT evolves at pace.
The Commissioner has emphasised that her decisions do not constitute a ban on FRT – in a blog on 18 September 2025, she stated ‘It may be tempting to suggest that my successive determinations amount to an effective ban on the use of this technology. However, that is incorrect; the Privacy Act is technology-neutral.’
FRT is part of the technological future we are all facing (pun intended).
It is already being deployed by many entities across Australia, including in airports and other high security risk areas. It is also being actively considered by governments for use in other settings (e.g. the NSW Government is currently considering consultation comments on a Code of Practice it has developed for the use of FRT in hotels and clubs).
Please reach out to one of our Maddocks privacy and data experts if you are using, or considering implementing, FRT to ensure you can reach the high bar that is currently being set for privacy compliance.
Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.
View profileKatherine has a highly regarded and dynamic practice in information law, with a particular focus on privacy and data protection.
View profileIndi provides high‑quality privacy, FOI, probity and procurement advice to Australian Government clients, including PIAs for complex ICT systems and Privacy Act guidance.
View profileKeep up to date with our legal insights and events
Sign up
Partner
Sydney